DETAILED ACTION

1. This office action is in reply to an amendment filed on May 31, 2006. Claims 1-35 are 
pending. 

Response to Arguments 

2. Applicant's arguments filed May 31, 2006 have been fully considered but they are not
persuasive. Applicant argues that Li (US 6,567,408) fails to teach classifying data packets 
received from a first classification stage based on a second set of characteristics, where the first 
classification stage is capable of classifying the data packets based on a first set of packet 
characteristics. Examiner disagrees. 

3. Examiner would point out that Li teaches classifying a stream of packets received at
ESP 24, wherein classification is carried out by a first classification stage, based on a first set of 
packet characteristics (i.e., for example, arriving packets at ESP 24 are first classified into, 
VOICE (REAL TIME), HTTP (BEST EFFORT) AND OTHERS (BEST EFFORT), see figure 4, 
level 1, level 2 and nodes 40, 48 & 46). Furthermore, Li teaches classifying the data packets
received from the first classification stage based on a second set of characteristics (i.e., packets 
classified in the first stage, for example node 48 of figure 4, HTTP (BEST EFFORT), are further 
classified in a second stage into MARKETING & OTHERS, see level 3, nodes 48, 42 and 44 of 
figure 4, and column 6, lines 37 - column 7, line 17). 

4. With respect to dependent claims 4, 6 and 14, applicant argued that Vaidya fails to teach 
classifying packets within each of the groups according to packet type or size and further fails to 
teach the limitation "wherein the lookup table is performed in a flow table and further comprising 
updating field of the flow table." Examiner disagrees. 
Examiner would point out that both Vaidya and Li teach classifying packets according to
packet size or type [see Vaidya, column 9, lines 46-61 and column 7, lines 2-21 and Li column 
7, lines 21-53] and furthermore, teach performing table lookup in a flow table, further comprising 
updating field of the flow table, [see Vaidya, column 7, lines 2-11 and column 9, lines 27-35 and 
Li, column 3, line 63-column 4, lines 20]. Examiner asserts the art on record teaches the claim 
limitations and therefore the rejection is respectfully maintained. 



Claim Rejections - 35 USC § 103 

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

6. Claims 1, 3-11, 13-19, 30 and 31-35 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Vaidya US Patent 6,279,113 B1 in view of Li et al. US Patent 6,567,408 B1
(hereinafter Li). 

7. As per claims 1 and 30, Vaidya teaches a method for detecting intrusion on a network,
comprising:

storing signature profiles identifying patterns associated with network intrusion in a 
signature database [column 3, lines 27-38 and column 6, lines 35-42]; 

generating classification rules based on said signature profiles [column 3, line 65 - 
column 4, line 8]; 

receiving data packets transmitted on the network [column 6, lines 60-68]; 

classifying data packets having corresponding classification rules according to said
generated classification rules [column 6, line 57 - column 7, line 10];

forwarding said classified packets to a signature engine for comparison with signature
profiles [column 6, lines 63 - column 7, lines 5 and column 7, lines 11-21]. Vaidya further 
teaches classifying data packets according to classification rules [column 6, line 57- column 7, 
line 10]. Vaidya is silent on carrying out the classification by a first classification stage capable 
of classifying the data packets and a second classification stage capable of classifying the data 
packets received from the first classification stage. However, classification of data packets with 
multi-level stages is well known in the art, which has the advantage of enhancing the 
performance and efficiency of the system. For example, Li teaches carrying out classification by 
a first classification stage capable of classifying the data packets on a first set of packet 
characteristics and a second classification stage capable of classifying the data packets 
received from the first classification stage based on a second set of characteristics [column 3, 
line 63-column 4, line 7, column 6, lines 37-67 and figure 7A]. Therefore, it would have been 
obvious to one having ordinary skill in the art at the time of applicant's invention to employ the 
teachings of Li within the system of Vaidya in order to enhance the performance and efficiency 
of the system. 

8. As per claims 3-9, Vaidya further teaches classifying said packets according to at least 
one packet field into groups [column 9, lines 46-61 and column 7, lines 2-21]. 

9. As per claims 10, 11, 13 and 14, Vaidya further teaches performing a table lookup to 
select an action to be performed on said packet based on its classification [column 7, lines 2-11
and column 9, lines 27-35]. 

10. As per claims 15 and 16, Vaidya further teaches partitioning signatures into disjoint
groups to define subsets of signature profiles [column 6, lines 27-42]. 

11. As per claims 17-19, Vaidya further teaches filtering received packets and capturing 
packets at a network analysis device [column 8, lines 40-55].

12. As per claim 31, Li further teaches the method wherein the first set of packet
characteristics includes at least one of a destination address, a protocol type and a destination 
port number [column 9, lines 37-60 and figures 6 & 7A]. 

13. As per claim 32, Li further teaches the method wherein the second set of packet 
characteristics includes at least one of packet type and a size [column 6, lines 37-67]. 

14. As per claims 33 and 34, Li further teaches the method wherein only the second 
classification stage remains in communication with a flow table for identifying an action to be 
taken with respect to the data packets [column 6, lines 37-67 and figures 7and & A]. 

15. As per claim 35, Vaidya further teaches the method wherein the classification rules are 
generated after filtering the data packets [column 3, line 65 - column 4, line 8]. 

16. Claims 20-29 are rejected under 35 U.S.C. 103(a) as being unpatentable over
Copeland, III US Pub. 2002/0144156 A1 (hereinafter Copeland) in view of Li US Patent 
6,567,408 B1. 

17. As per claim 20, Copeland teaches an intrusion detection system comprising:

a signature classifier comprising a classifier operable to classify packets according to at 
least one packet field into groups [paragraph 0139, 0140 and 0165]; 

a flow table configured to support table lookups of actions associated with classified 
packets [paragraphs 0148, 0149]; 

a signature database for storing signature profiles identifying patterns associated with 
network intrusion [paragraphs 0020, 0153-0155]; and 

a detection engine operable to perform a table lookup at the flow table to select an action
to be performed on said packet based on its classification, wherein comparing said packets to at
least a subset of the signature profiles is one of the actions [paragraphs 0157-0159 and
0163-0165]. Furthermore, Copeland teaches classifying data packets according to data packet
information [paragraph 0139, 0140 and 0165]. Copeland is silent on a classifier comprising a 
first stage classifier operable to classify packets according to at least one packet field into 
groups and a second stage classifier operable to classify said packets within each of the groups 
according to packet type or size. However, classification of data packets with multi-level stages 
is well known in the art, which has the advantage of enhancing the performance and efficiency 
of the system. For example, Li teaches classifier comprising a first stage classifier operable to 
classify packets according to at least one packet field into groups and a second stage classifier 
operable to classify said packets within each of the groups according to packet type or size 
[column 3, line 63-column 4, line 7, column 6, lines 37-67 and figure 7A]. Therefore, it would 
have been obvious to one having ordinary skill in the art at the time of applicant's invention to 
employ the teachings of Li within the system of Copeland in order to enhance the performance 
and efficiency of the system. 

18. As per claims 21 and 22, Copeland teaches the system further comprising a data
monitoring device having a capture engine operable to capture data passing through the
network and configured to monitor network traffic, decode protocols, and analyze received data
[paragraph 0137]. 

19. As per claim 23, Copeland further teaches a parser operable to parse, generate and 
load signatures at the detection engine [paragraphs 0142-0146]. 

20. As per claim 24, Copeland further teaches the system comprising an alarm manager
operable to generate alarms [paragraphs 0162-0164]. 

21. As per claims 25 and 26, Copeland further teaches a filter configured to filter out packets
received at the intrusion detection system [paragraphs 0139-0141]. 

22. As per claim 27, Copeland further teaches the flow table is a hash table [paragraphs 
0149-0150].

23. As per claims 28 and 29, Copeland further teaches action options listed in the flow table 
include dropping the packet and generating an alarm [paragraph 0165]. 

24. Claims 2 and 12 are rejected under 35 U.S.C. 103(a) as being unpatentable over Vaidya 
US Patent 6,279,113 in view of Li et al. US Patent 6,567,408 B1 and further in view of Copeland
US Pub. 2002/0144156 A1.

25. As per claims 2 and 12, Vaidya-Li teaches the method as applied to claim 1 above.
Vaidya-Li is silent on the method comprising dropping data packets without corresponding
classification rules. However, Copeland teaches an intrusion detection system including
dropping data packets without corresponding classification rules [paragraph 0165]. Both
Vaidya-Li and Copeland teach a network intrusion detection system. It would have been obvious to one
having ordinary skill in the art at the time of applicant's invention to employ the teachings of
Copeland within the system of Vaidya-Li in order to enhance the security of the system.

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time policy 
as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the mailing date 
of this final action. 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Beemnet W. Dada whose telephone number is (571) 272-3847. The 
examiner can normally be reached on Monday - Friday (9:00 am - 5:30 pm). 
If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor, Kim Y. Vu can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private 
PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you 
would like assistance from a USPTO Customer Service Representative or access to the 
automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



July 18, 2006 



Beemnet Dada 